If the gauntlet hadn’t been thrown before to protect financial and banking customers’ data, it’s definitely lying on the floor now. The recent circular bulletin from the CFPB makes it clear that financial institutions can’t slow-walk any security upgrades: “Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation” of CFPB regulations or even the Dodd-Frank act. It also provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols, and recently issued a statement via Twitter urging consumers to report financial institutions that do not offer sufficient multi-factor authentication (MFA) options.

Given the weight of the news, the circular is getting the attention of legal departments at banks and other financial institutions around the country. Some may have implemented phishing-resistant multi-factor authentication (MFA) solutions like security keys already across their employee network, but others may still be searching for a solution – especially at distant locations like local bank branch offices. 

To better understand how organizations can take action to avoid future violations, the circular goes on to define exactly what a violation is:

(Something) that causes or is likely to cause substantial injury to consumers.(Something) which is not reasonably avoidable by consumers.(Something) not outweighed by countervailing benefits to consumers or competition.”

The language here is important, especially the “likely to cause” phrase in the first sentence. That means, as the circular itself says, that “this prong of unfairness is met even in the absence of a data breach.” So banks could be in violation of the law today, even before any problem becomes public, just by tolerating a situation where a breach is “likely” to happen. 

It’s clear that this is a signal from the government that it strongly recommends financial institutions follow the guidance outlined in last year’s Executive Order, as well as understand the importance of phishing resistant authentication solutions. In order to not only stay secure from increasingly sophisticated phishing attacks, phishing-resistant MFA should be part of banks’ plans for everybody in the organization – not just employees at a headquarters building. Now that the CFPB has followed suit, this may be the start of a movement where other regulators also start to focus on this issue.

The 2017 Equifax data breach was particularly called out as an example of something that constituted an “unfair practice,” and Equifax has had to pay the price for putting 147 million consumers’ information in jeopardy. 

Here are a few other “unfair practices” that were explicitly named in the circular as liabilities for a company: 

Not requiring MFA for employees or not offering MFA as an option for consumers. Not having adequate password management policies and practices. In practice that means you should have processes in place to flag employees who are re-using or using default logins and passwords. Not routinely updating systems, software, and code or failing to make critical vulnerability updates when alerted. In practice, that means keeping track of what software is no longer maintained by vendors and understanding how your systems rely on particular third-party software packages. Equifax famously failed to patch a known vulnerability for four months, which gave hackers the access they needed. 

How can you avoid risk if you’re tasked with guarding your employees’ and customers’ most sensitive data? Even if you are not working in the financial services sector, the standards that have now been set for them are a best practice for any company that wants robust security. Take these steps:

Read the CFPB circular and have your own legal team assess your company’s liability (or presumed future liability) based on the standards. If you have not done so in two years, run a full-scale audit of how all employees authenticate and what areas need to be bolstered through phishing-resistant MFA. The audit should extend beyond privileged users to include everybody, especially those working at remote locations or with hybrid work schedules. The audit should include the software updating process to make sure there are no “Equifax-sized” holes in your system.Lay out a roadmap that schedules regular security audits in the future as well as planned security upgrade rollouts. The roadmap should include a communications plan with employees and customers so that no one is caught off guard by a new authentication process or routine. 


For more information on how YubiKey can bring modern authentication to financial services companies, read Yubico’s Financial Services White Paper.

The post Why banks need to act now or risk non-compliance with new Consumer Financial Protection Bureau (CFPB) guidance appeared first on Yubico.


VaultumCity is the best trusted place to select and buy your best Yubikeys, Vaultumcity free ship all yubikeys, Vaultumcity is reseller distributor of yubikeys so you can find cheapest best yubikey in Vaultumcity. If you are looking for best Yubikeys in Singapore at VaultumCity website online store.

The shop that sells yubikeys is https://vaultumcity.com/product-category/yubikey/

Our delivers are from Singapore, distribute globally. Buying Yubikey in Vaultum to have best customer and after sales services. All Yubikeys sold at Vaultumcity are quality guaranteed. Please place a large amount order to have great discount for reseller. Contact Vaultumcity at https://vaultumcity.com/contact/ whenever you have any issue with your yubikeys. Buying yubikeys at Vaultumcity to have best newest yubikeys free shipped to your door, FIDO2 U2F SECURITY KEY C NFC, FIDO2 U2F SECURITY KEY NFC, YubiKey 5 Nano, YUBIKEY 5 NFC, YubiKey 5C, YubiKey 5C nano, YubiKey 5C NFC, YUBIKEY 5Ci, YubiKey Bio – FIDO Edition. Yubikeys are best most secure tools for two-factor authentication. You can also buy yubikeys form Malaysia, Yubikey Malaysia is being sold at Vaultumcity with great price and free ship, you have it fastest, just in few days because we’re here in Singapore.

If you are looking for yubikeys in Indonesia, Vaultumcity is a great place to buy yubikey Indonesia, you can have yubikeys to protect your logins in just few days. Vaultumcity ship your yubikeys to your home in Thailand, to help ensure your data is safe and secured.

What about South Korea, Vaultumcity bring your yubikeys to your home in South Korea free-shipped.

Vaultumcity also delivers yubikeys to Japan, any province or city to your hands. Check out and grab your best suited yubikey today at VaultumCity.